Here is an interesting read that our community member O.J. sent in. Thank you O.J. for your contribution. This is good to know!

Enjoy this read,

Yours
Dr. D

Environments updated to IBM BPM 8.0.1.3 or 8.5.6 may see problems in Process Portal or in a custom-written Coach where data is not displayed as expected. The related SystemOut.log will contain entries such as:

[31/03/15 16:33:52:855 BST] 0000015a CallServiceAc E The servlet, callservice.do, is not configured to call Example; configuration option
"callservice-valid-services" is not configured to call services of type General System Service.

This is caused by APAR JR50215, which is included in BPM 8.0.1.3 and 8.5.6.
Before that APAR, invoking a service through the callService.do URL applied no access restriction based on service type, so services that were meant for internal use only were exposed to anyone who could call that URL.
The fix lets administrators restrict, by service type, which services callService.do may invoke. It is secure by default: only Ajax services can be invoked through callService.do. If you have custom client applications that rely on callService.do to invoke service types other than Ajax services, you need to add the configuration described below.
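Before widening the allow list, it helps to know which services and service types the new check is actually rejecting. The following Python script, added here as an example (not part of the original post and not an IBM tool), walks a SystemOut.log for the rejection message quoted above and counts blocked invocations per service and type. The log excerpt is constructed: the first entry mirrors the one quoted above, and the repeat, the LookupAccount service, the Integration Service type and the unrelated SystemOut line are invented to show how the inventory behaves.

```python
import re
from collections import Counter

# Constructed SystemOut.log excerpt: the first entry mirrors the quoted one;
# the others are invented to show a repeat, a second service and an unrelated line.
SAMPLE_LOG = """\
[31/03/15 16:33:52:855 BST] 0000015a CallServiceAc E The servlet, callservice.do, is not configured to call Example; configuration option "callservice-valid-services" is not configured to call services of type General System Service.
[31/03/15 16:34:07:102 BST] 00000142 SystemOut     O unrelated application output
[31/03/15 16:35:10:120 BST] 0000015c CallServiceAc E The servlet, callservice.do, is not configured to call Example; configuration option "callservice-valid-services" is not configured to call services of type General System Service.
[31/03/15 16:41:58:004 BST] 00000161 CallServiceAc E The servlet, callservice.do, is not configured to call LookupAccount; configuration option "callservice-valid-services" is not configured to call services of type Integration Service.
"""

# Matches the rejection message written by the JR50215 service-type check.
REJECT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]+)\s+CallServiceAc\s+E\s+'
    r'The servlet, callservice\.do, is not configured to call (?P<service>.+?); '
    r'configuration option "callservice-valid-services" is not configured to call '
    r'services of type (?P<stype>.+?)\.?\s*$'
)


def parse_rejections(log_text):
    """Return one dict (ts, thread, service, stype) per blocked callService.do call."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count blocked invocations per (service name, service type)."""
    return Counter((e["service"], e["stype"]) for e in events)


def report(log_text):
    """Inventory of what the fix is rejecting: count, service type, service name."""
    lines = []
    for (service, stype), n in sorted(summarize(parse_rejections(log_text)).items()):
        lines.append(f"{n:4d}  {stype:<25}  {service}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against the real SystemOut.log and compare the inventory with the services your client applications are known to call. Entries for services that no client application uses are not a configuration gap to close but a sign that someone is probing callService.do, which matters because, as noted below, even an authenticated user can misuse exposed services.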

Edit your 100custom.xml to contain the desired service screening. Administrators can allow any combination of service types.
Be advised that each additional service type opened to callService.do widens the attack surface. Even Ajax services can be misused by an authenticated user who knows the specifics of a service, so keep the allowed list as short as your client applications permit.

Service developers should redesign any service that could be misused in this way so that it uses a service type that is not allowed to be executed through callService.do.

If the <callservice-valid-services> tag is not present in 100custom.xml, Process Portal defaults to allowing only Ajax services. If you need callService.do to launch a service of another type, add a <valid-service-entry> tag (inside the <callservice-valid-services> tag) containing the type of that service. An example that allows only integration services is shown below:

Any combination of service type IDs may be listed to allow exactly the service types that callService.do should execute.
A second example, shown below, blocks everything except regular services, Ajax services, and SCA services.
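The following Python script is an added example covering both configurations described above; it is not IBM's documentation and not the XML the post refers to. It renders a 100custom.xml fragment that allows a given set of service type IDs, reads the allowed IDs back out of an existing file, and flags every type beyond Ajax that the configuration opens up. Two things are assumptions: the <properties>/<server merge="mergeChildren"> wrapper with merge="replace" follows the usual 100custom.xml conventions rather than anything stated above, and the type IDs are placeholders, not the numeric values IBM assigns; substitute the IDs from the JR50215 documentation before using it.

```python
import xml.etree.ElementTree as ET

# Placeholder service type IDs. They are NOT the real values: look up the numeric
# ID of each service type in IBM's documentation for JR50215 before using this.
AJAX_SERVICE_ID = "AJAX_SERVICE_TYPE_ID"
INTEGRATION_SERVICE_ID = "INTEGRATION_SERVICE_TYPE_ID"


def build_fragment(type_ids):
    """Render a 100custom.xml fragment allowing exactly the given service type IDs.

    Assumption: the <properties>/<server merge="mergeChildren"> wrapper and
    merge="replace" follow the usual 100custom.xml conventions; the element
    names inside (callservice-valid-services, valid-service-entry) come from
    the text above.
    """
    properties = ET.Element("properties")
    server = ET.SubElement(properties, "server", merge="mergeChildren")
    valid = ET.SubElement(server, "callservice-valid-services", merge="replace")
    for type_id in type_ids:
        ET.SubElement(valid, "valid-service-entry").text = str(type_id)
    return ET.tostring(properties, encoding="unicode")


def allowed_types(xml_text):
    """Service type IDs that callService.do may invoke according to xml_text.

    Returns None when <callservice-valid-services> is absent, i.e. the secure
    default applies and only Ajax services can be invoked.
    """
    root = ET.fromstring(xml_text)
    valid = root.find(".//callservice-valid-services")
    if valid is None:
        return None
    return [e.text.strip() for e in valid.findall("valid-service-entry") if e.text]


def audit(xml_text, ajax_id=AJAX_SERVICE_ID):
    """Every service type beyond Ajax that the configuration exposes via callService.do."""
    allowed = allowed_types(xml_text)
    if allowed is None:
        return []
    return [t for t in allowed if t != ajax_id]


# Constructed 100custom.xml contents with no screening element at all.
DEFAULT_CONFIG = '<properties><server merge="mergeChildren"></server></properties>'

if __name__ == "__main__":
    fragment = build_fragment([AJAX_SERVICE_ID, INTEGRATION_SERVICE_ID])
    print(fragment)
    print("extra types opened:", audit(fragment))
    print("default config opens:", audit(DEFAULT_CONFIG))
```

The audit treats a missing <callservice-valid-services> element as the safe case, which matches the default described above; anything it lists is a service type you have deliberately opened and should be able to tie to a specific client application.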